There’s one more update to a 2014 breach that impacted 65,000 employees of UPMC. The civil suit by the employees settled in July, so this may be the last of the legal activity stemming from this case.
PITTSBURGH, PA – Justin Sean Johnson was sentenced on Friday to the statutory maximum sentence of 60 months’ incarceration for Conspiracy to Defraud the U.S., and the statutory maximum of 24 months for Aggravated Identity Theft, for a total of 84 months of incarceration, for hacking the human resources databases of the University of Pittsburgh Medical Center and stealing Personally Identifiable Information (PII) of more than 65,000 UPMC employees, Acting United States Attorney Stephen R. Kaufman announced today.
Chief United States District Judge Mark R, Hornak imposed the sentence on Johnson, aka TheDearthStar and Dearthy Star, age 30, formerly of Detroit, Michigan.
Johnson, known on the dark web as TheDearthStar and Dearthy Star, infiltrated and hacked into the UPMC human resource server databases in 2013 and 2014 and stole sensitive PII and W-2 information belonging to tens of thousands of UPMC employees. Johnson then sold the stolen information on dark web forums for use by conspirators, who promptly filed hundreds of false 1040 tax returns in 2014 using UPMC employee PII. These false 1040 filings claimed hundreds of thousands of dollars of false tax refunds, which they converted into Amazon.com gift cards, which were then used to purchase Amazon merchandise which was shipped to Venezuela.
Additionally, Johnson, from 2014 through 2017 stole and sold nearly 90,000 additional (non-UPMC) sets of PII to buyers on dark web forums, which could be used to commit identity theft and bank fraud.
The scheme resulted in approximately $1.7 million in false tax return refunds.
“Justin Johnson stole the names, Social Security numbers, addresses and salary information of tens of thousands of UPMC employees, then sold that personal information on the dark web so that other criminals could further exploit his victims,” said Acting U.S. Attorney Kaufman. “Today’s sentence sends a deterrent message that hacking has serious consequences.”
“The actions of criminals like Justin Johnson can have long-lasting and devastating effects on the lives of innocent people,” said Yury Kruty, Acting Special Agent in Charge of IRS-Criminal Investigation. “Johnson carried out his intricate scheme with no regard for his victims. Today’s sentencing will hopefully be a deterrent to other potential crooks who may be considering carrying out similar conduct.”
“The U.S. Secret Service today sends a message to Justin Sean Johnson and anyone who seeks to conceal their criminal activity in cyberspace and on the dark web that there is no hiding place we cannot find,” said U.S. Secret Service Pittsburgh Field Office Special Agent in Charge Timothy Burke. “Information compromise and identity theft victimize not only the individuals whose information is stolen, but also threaten our collective global security. I am immensely proud of the agents involved in bringing a just end to these crimes.”
“Investigating identity theft and protecting consumers victimized by these crimes is part of our mission. I fully commend the hard work and countless hours put forth by all the law enforcement agencies involved to bring this individual to justice,” said Lesley Allison, Postal Inspector in Charge of the Pittsburgh Division.
In imposing the sentence, Judge Hornak noted the severity of Mr. Johnson’s crimes, likening his behavior to a “bulldozer” through people’s personal lives when he “indiscriminately” hacked their PII.
Assistant United States Attorney Gregory C. Melucci is prosecuting this case on behalf of the government.
Agents from the Internal Revenue Service-Criminal Investigation, the United States Secret Service and the United States Postal Inspection Service, and Homeland Security Investigations conducted the investigation leading to the prosecution of Justin Johnson.
Source: U.S. Attorney’s Office, Western District of Pennsylvania